
Handling java.lang.IllegalArgumentException: caused by Control character in cookie value

Recently I deployed a web site where I store cookies in the browser with the product name as the cookie value. But some products have control characters in their names. As a result, when those product names are saved in a cookie, an IllegalArgumentException caused by "Control character in cookie value" is thrown.

 java.lang.IllegalArgumentException: Control character in cookie value or attribute.
        at org.apache.tomcat.util.http.CookieSupport.isHttpSeparator(CookieSupport.java:169)
        at org.apache.tomcat.util.http.Cookies.getTokenEndPosition(Cookies.java:493)
        at org.apache.tomcat.util.http.Cookies.doProcessCookieHeaderOriginal(Cookies.java:283)
        at org.apache.tomcat.util.http.Cookies.processCookieHeader(Cookies.java:233)
        at org.apache.tomcat.util.http.Cookies.processCookies(Cookies.java:141)
        at org.apache.tomcat.util.http.Cookies.getCookieCount(Cookies.java:107)
        at org.apache.catalina.connector.CoyoteAdapter.parseSessionCookiesId(CoyoteAdapter.java:1163)
        at org.apache.catalina.connector.CoyoteAdapter.postParseRequest(CoyoteAdapter.java:914)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:532)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1081)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:658)
        at org.apache.coyote.http11.Http11NioProtocol$Http11ConnectionHandler.process(Http11NioProtocol.java:222)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1566)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1523)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:745)

One idea I have in mind is that I have to encode the name before storing it in the cookie.

But the problem is that many users who already ran into the problem cannot browse the site.

Is there any way to handle the exception without changing the cookie value, or any way to delete the old cookies which were problematic, or anything else?

Regarding future cookies, your solution is simply to URL-encode or Base64-encode the value before setting it in the cookie, and then URL-decode or Base64-decode it when reading it.

Regarding existing users that have "poisoned" cookies, it depends notably on your application design and frameworks.

An approach could be to configure Tomcat to allow such values (which could possibly have side-effects depending on how you use the actual values). You might be interested in the ALLOW_HTTP_SEPARATORS_IN_V0 or the ServerCookie.STRICT_NAMING configuration properties.

See the specs here http://tomcat.apache.org/tomcat-7.0-doc/config/systemprops.html#Specification for all the tweakable properties.

Depending on what characters are sent ("control characters" is a little vague :) ) this might do the trick.

Another solution would be to manage the issue client-side: simply delete the problematic cookies with JavaScript. With Angular you could simply use $cookies.remove('poisonedCookie'). If you don't know which cookies are problematic, I suggest looping over each of them and deleting it as soon as a control character is detected.

There could be other server-side solutions (like intercepting IllegalArgumentException, checking the message content and, if it is cookie-related, removing the cookie), but this would require more details of your app, and the two other propositions above will probably do the trick more easily.

Another solution (not great..) is to switch to a Tomcat version that accepts such characters (any Tomcat before 7). But changing the Tomcat properties is certainly a better way to achieve this, by far.
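The two workable suggestions in the answer above (encode the value before it is written, and have the browser delete cookies that already carry bad bytes) as one added example. This is not code from the question or the answer; it is JavaScript that runs under Node.js and whose cookie strings are constructed samples. The check it implements mirrors the rule in the Tomcat class the stack trace points at (CookieSupport.isHttpSeparator), which rejects any character below 0x20 or at or above 0x7f other than TAB; the server-side Java equivalent of the URL encoding is URLEncoder.encode(value, "UTF-8") on write and URLDecoder.decode on read. The cookie path "/" used when expiring cookies is an assumption.

```javascript
// Added example (not code from the question or the answer): cookie-safe
// encoding for product names plus client-side detection and removal of
// cookies that already carry bytes the server rejects. Runs under Node.js;
// the cookie strings used to exercise it are constructed samples.

// Tomcat's check behind the stack trace (CookieSupport.isHttpSeparator)
// raises "Control character in cookie value or attribute" for any char
// below 0x20 or at/above 0x7f, TAB excepted. Request headers are read as
// ISO-8859-1, so a UTF-8 product name such as "Cafe" with an accent
// arrives as bytes >= 0x80 and trips the same rule.
function hasControlChars(value) {
  for (let i = 0; i < value.length; i++) {
    const code = value.charCodeAt(i);
    if ((code < 0x20 || code >= 0x7f) && code !== 0x09) return true;
  }
  return false;
}

// RFC 2616 separators. A V0 cookie value containing one is not rejected
// with an exception but may be cut short by the parser, so a value the
// server writes should avoid them as well as control characters.
const HTTP_SEPARATORS = '()<>@,;:\\"/[]?={} \t';

function isCookieSafe(value) {
  if (hasControlChars(value)) return false;
  for (const ch of value) {
    if (HTTP_SEPARATORS.includes(ch)) return false;
  }
  return true;
}

// --- Future cookies: encode on write, decode on read ---

// encodeURIComponent leaves "(" and ")" unescaped and both are HTTP
// separators, so they are percent-escaped as well.
function encodeCookieValue(raw) {
  return encodeURIComponent(raw).replace(/[()]/g,
    (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase());
}

function decodeCookieValue(encoded) {
  return decodeURIComponent(encoded);
}

// Base64 alternative. Standard Base64 emits "/", "+" and "=", and "/" and
// "=" are separators, so use the URL-safe alphabet without padding.
function encodeCookieValueBase64(raw) {
  return Buffer.from(raw, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function decodeCookieValueBase64(encoded) {
  const std = encoded.replace(/-/g, '+').replace(/_/g, '/');
  // Node's base64 decoder accepts input without trailing padding.
  return Buffer.from(std, 'base64').toString('utf8');
}

// --- Existing users: find and expire poisoned cookies in the browser ---

// Parses a document.cookie string ("a=1; b=2") and returns the names of
// cookies whose name or value would raise the exception server-side.
function findPoisonedCookies(cookieString) {
  const poisoned = [];
  for (const part of cookieString.split(';')) {
    const pair = part.trim();
    if (pair === '') continue;
    const eq = pair.indexOf('=');
    const name = eq === -1 ? pair : pair.slice(0, eq);
    const value = eq === -1 ? '' : pair.slice(eq + 1);
    if (hasControlChars(name) || hasControlChars(value)) poisoned.push(name);
  }
  return poisoned;
}

// String to assign to document.cookie to delete one cookie. The path (and
// domain, if one was set) must match the original Set-Cookie; "/" is an
// assumption here.
function expireCookieString(name, path = '/') {
  return name + '=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=' + path;
}

// Browser entry point, e.g. purgePoisonedCookies(document) on page load.
// Takes the document as a parameter so it can be exercised outside a
// browser with a plain object that has a "cookie" property.
function purgePoisonedCookies(doc) {
  const names = findPoisonedCookies(doc.cookie);
  for (const name of names) doc.cookie = expireCookieString(name);
  return names;
}
```

Two caveats follow from the stack trace itself. The exception is raised inside CoyoteAdapter.postParseRequest, that is while Tomcat is still parsing the request, before any servlet or filter runs, so an application-level catch cannot reach it, and the page that carries the cleanup script must be one the browser can still load while it sends the poisoned cookie (a path or host outside the cookie's scope, or a front end that does not run this parser). And because the rule fires on any byte at or above 0x7f, not only on ASCII control codes, a product name with accented or non-Latin characters triggers it just as a literal control character does; the separator-related properties named in the answer change how separators are treated, not this check.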

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. Any question please contact: yoyou2525@163.com.
